CVE-2020-15521
Description
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine Applications Manager before build 14730 is vulnerable to stored XSS via jsp/header.jsp.
Vulnerability
Zoho ManageEngine Applications Manager before version 14 build 14730 is vulnerable to stored cross-site scripting (XSS) in the jsp/header.jsp component. The application fails to sanitize user-supplied input before rendering it in the header, allowing an attacker to inject arbitrary HTML or JavaScript. This affects all versions prior to build 14730 [2].
Exploitation
An attacker must be authenticated to the Applications Manager console. The attacker can inject malicious script into a field that is later displayed in jsp/header.jsp. When other administrators view the affected page, the script executes in their browser session. No additional user interaction beyond viewing the page is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, manipulation of the application interface, or further actions such as creating new admin accounts or exfiltrating sensitive data.
Mitigation
The vulnerability is fixed in Zoho ManageEngine Applications Manager build 14730 (version 14) and later. Users should upgrade to this build or newer. No workarounds are documented in the available references [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Applications Manager
- Range: <14 build 14730
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/applications_manager/issues.html (mitre, x_refsource_CONFIRM)